RISK MANAGEMENT STRATEGIES
The Little Black Book of Computer Security, 2nd Edition
Joel Dubin, Contributor
08.27.2008
Rating: -4.75- (out of 5)
The following is an excerpt from the book, The Little Black Book of Computer Security, 2nd Edition. In this section of Chapter 19: Working with Compliance Auditors and Regulators (.pdf), author Joel Dubin reviews how to comply with today's most common government regulations.
Not only do you have to contend with meeting your own, internal IT-security standards, but you also have to face a wide
array of government regulations and industry standards. Sometimes, it seems
like you spend more time and resources on complying with these regulations
and standards than on actually doing any business.
Regulations vary from country to country and from state to state within
the U.S. On top of all that, additional, industry standards exist to be followed,
such as the PCI DSS for companies that issue or accept credit cards (meaning
almost every company today). Although it's not a government body, the PCI
Security Standards Council wields as much power as one. In the worst-case
scenario, it will ban a noncompliant company from using credit cards at all.
Furthermore, if you do business globally, you'll have additional sets of
regulatory headaches.
Despite the thicket of different regulations, similar threads run throughout
all of them. Organizing your security program along these lines will provide
a good first step toward meeting any compliance mandate, even new
ones that may arise.
Important
Bear in mind that compliance doesn't equal security. Some regulations
do offer a good framework that, if followed to the letter,
will take your company far on the road to achieving a high level
of information security. However, checking off everything on
someone else's checklist will not meet your internal IT-security
requirements. You'll need to keep your eye on your own security
program while making sure that it meshes with the compliance
requirements — a delicate balance, indeed, at times.
Here is a sample of the most com
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
mon government regulations and
industry standards that you'll most likely face in the U.S.:
Outside the U.S., some of the most common regulations and regulatory
bodies are:
So, how do you comply with all these regulations but prevent your staff
from trading other, productive work for the constant gathering of the information
that keeps the regulators at bay?
One strategy is to implement an overarching security framework that
covers all the bases. Three of the most common are ISO 27001, COBIT, and
INFOSEC from the National Security Agency (NSA). These frameworks
provide excellent guides for benchmarking an information security program,
and strict adherence also ensures compliance with most of the elements of the
regulations just cited.
But even if you use these frameworks, you'll still need to make sure that
you're compliant with the fine points of each regulation that affects your
company. Unfortunately, multiple regulations and overlapping requirements
impact most companies. The good news is that these frameworks make it
easier to sort out and simultaneously comply with the regulations and
requirements.
Another strategy entails working with your internal auditors. Too often,
an adversarial relationship exists between auditors and IT departments —
particularly IT-security departments. Auditors are perceived as by-the-book
nitpickers who interfere with daily operations and ask a lot of meddlesome
questions. But, the reality is that auditors can be the allies who both work
with you to review your adherence to regulations and make sure that you're in
top shape before the regulators come knocking on your door.
Here are the basics for preparing for auditors and regulators:
Reproduced from the book The Little Black Book of Computer Security Copyright [2008], Penton Technology Media. Reproduced by permission of Penton Media, Inc. Written permission from Penton Media, Inc. is required for all other users.
|
|
Rate this Tip
|
To rate tips, you must be a member of SearchSecurity.com.
Register now
to start rating these tips. Log in if you are already a member.
|
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
|
|
|
|
|
|
